[UNIX] xloadimage NIFF Buffer Overflows

• Previous message: SecuriTeam: "[NEWS] Kaspersky Anti-Virus Engine CHM File Parser Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 11 Oct 2005 11:04:04 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  xloadimage NIFF Buffer Overflows
------------------------------------------------------------------------

SUMMARY

xloadimage "allows loading of images into an X11 window or onto the root
window". Ariel has discovered three buffer overflows in xloadimage when
handling the image title name of NIFF files.

DETAILS

Vulnerable Systems:
 * xloadimage version 4.1-r3
 * xloadimage version 4.1-14.2

Unlike most of the supported image formats in xloadimage, the NIFF image
format can store a title name of arbitrary length as part of the image
file.

When xloadimage is processing a loaded image, it is creating a new Image
object and then writing the processed image to it. At that point, it will
also copy the title from the old image to the newly created image.

The 'zoom', 'reduce', and 'rotate' functions are using a fixed length
buffer to construct the new title name when an image processing is done.
Since the title name in a NIFF format is of varying length, and there are
insufficient buffer size validations, the buffer can be overflowed.

A malicious user can construct a NIFF file that when viewed and processed
(with either zoom, reduce or rotate) by xloadimage, will cause the program
to overwrite the return address and execute arbitrary code.

Proof of concept for the 'zoom' image processing bug, tested on a x86
computer running Gentoo Linux:
emerge xloadimage
xloadimage -zoom 20
<http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&q=p4>
small.niff

This will execute '/bin/sh'.

Note: some systems may have the (/proc/sys/kernel/)randomize_va_space
option enabled, which will cause the program to crash instead of executing
/bin/sh in most cases. Using a larger NIFF file (
<http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&q=p3>
large.niff.gz [800KB unzipped]), it is possible to execute arbitrary code
even when the random address space option is enabled (with about 33%
success rate).

The 'reduce' and 'rotate' bugs are similar, but require a slightly
different NIFF file and different ( processing options.

The bugs are in:
 * zoom.c, zoom() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].
 * reduce.c, reduce() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].
 * rotate.c, rotate() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].

ADDITIONAL INFORMATION

The information has been provided by <mailto:aberkm1@uic.edu> Ariel
Berkman.
The original article can be found at:
<http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2>
http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Kaspersky Anti-Virus Engine CHM File Parser Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]